The CDC is the main federal agency that oversees government and private bioterror lab safety involving agents dangerous to people. / Kimberly Smith, AJC

by Alison Young, USA TODAY, USATODAY

by Alison Young, USA TODAY, USATODAY

Laboratories at the Centers for Disease Control and Prevention have been repeatedly cited in private government audits for failing to properly secure potential bioterror agents such as anthrax and plague, and not training employees who work with them, according to "restricted" government watchdog reports obtained by USA TODAY.

"These weaknesses could have compromised [CDC's] ability to safeguard select agents from accidental or intentional loss and to ensure the safety of individuals," according to a 2010 report by the Department of Health and Human Services' inspector general.

The IG probed federal lab security after a scientist at an Army lab was implicated in the anthrax attacks in 2001. The IG also noted problems with CDC lab security in reports from 2009 and 2008.

The reports - which are prompting concern among some key members of Congress - offer a rare window into the CDC's performance on safety and security issues when working with the world's most dangerous pathogens.

The CDC is the main federal agency that oversees government and private bioterror lab safety involving agents dangerous to people, but it refuses to release copies of its lab inspection reports. The IG's office released its reports to USA TODAY in response to a Freedom of Information Act request.

CDC officials said nobody was endangered because their labs have redundant layers of safety and security to protect employees and the public. When issues arise, they are fixed immediately, said Joseph Henderson, director of the CDC's Office of Safety, Security and Asset Management. "We always take it seriously," he said. "We strive for perfection."

The issues cited in the IG reports are "troubling," said U.S. Rep. Fred Upton, chairman of the House Committee on Energy and Commerce. His committee has been examining federal regulation of bioterror labs in the wake of USA TODAY reports last summer about incidents at CDC labs in Atlanta of security doors left unlocked and issues with airflow systems that help prevent the release of infectious agents. The newspaper's earlier reports, which involved incidents in 2009-2012, were based on leaked internal e-mails and other records.

The IG reports were heavily redacted by government officials because they contain "restricted, sensitive information." Still Upton, R-Mich., said they "show the need for better scrutiny over the handling of select agents ... and we intend to immediately look into the issues raised."

The reports also concerned U.S. Rep. Henry Waxman of California, the ranking Democrat on the committee. He said, "There appears to be long-standing and recurring problems at CDC's labs which underscore the need to increase oversight and to ensure that appropriate action is taken to correct these problems permanently."

The issues cited in the IG's audits include:

Failing to ensure the physical security of bioterror agents or restrict access to approved individuals. The 2009 report cites coding on electronic cards that allowed overly broad access to approved workers, allowing them wide access to all bioterror research areas, rather than just the specific areas or specimen freezers for their projects. Most of the details in the 2010 report were redacted.

Failing to ensure that those working with and around potential bioterror agents have received required training. The 2010 report says auditors couldn't verify that 10 of 30 employees sampled had the required training. The 2009 report says the labs "did not provide biosafety and security training to 88 of 168 approved individuals" before they were given access to work areas for bioterror agents.

Not ensuring that only approved individuals accepted packages containing potential bioterror agents arriving from other outside labs. The 2010 audit identified six unapproved people - five from a delivery contractor and one security guard - who received and signed for the packages. The 2008 report, which focused on security of arriving packages, also identified issues.

In 2008, the FBI implicated a microbiologist working at an Army biodefense lab as being responsible for the anthrax letter attacks, which killed five and sickened 17. The scientist, Bruce Ivins, took a fatal overdose of Tylenol while under scrutiny.

It is not clear which germs or toxins, known as "select agents" in federal regulations, were involved in the CDC incidents that occurred from 2005 to 2009. Select agents are all dangerous pathogens and include the ebola virus, monkeypox virus, the toxin that causes botulism and ricin, a deadly poison that made headlines in 2003 after a potential London terror attack was foiled.

Although the locations of the CDC labs examined by the IG's auditors were redacted from the reports, Henderson said the 2010 and 2008 audits involved labs on the CDC's main campus in Atlanta, and the 2009 audit was of the agency's labs in Fort Collins, Colo.

Rutgers university biosafety expert Richard Ebright, who reviewed the IG reports at USA TODAY's request, said the issues cited are significant and repeated. "There is no evidence of improvement. Some of the same kinds of violations occurred repeatedly over the three-year review period," he said. "It is ironic that the institution that sets U.S. standards for safety and security of work with human pathogens fails to meet its own standards."

In the wake of USA TODAY's reports last June and concerns about the CDC policing itself, the CDC agreed last August to have its labs inspected by bioterror lab experts from the U.S. Department of Agriculture. The USDA has inspected CDC labs twice, said CDC spokesman Tom Skinner, and inspections will occur every 12 to 18 months.

The CDC would not share copies of its most recent inspection reports, saying it is agency policy not to release them for security reasons. Yet to document that CDC had corrected airflow issues at its Emerging Infectious Diseases Laboratory in Atlanta, the agency on Friday provided USA TODAY a copy of an external lab safety review done at the CDC's request by biosafety experts from Canada's public health agency. The Canadian review at the $214 million 11-story lab complex known as Building 18, says it found no issues of "non-compliance" that pose health and safety risks.

The CDC has not responded to USA TODAY's FOIA requests filed eight months ago for copies of its inspection reports for Building 18's labs, nor has it responded to requests for documents about the building's lab security and airflow incidents.